Remove the target interface parameter from iptablesPhysdevForward(). This rule is intended to allow frames to be forwarded across the bridge from the supplied bridge port. In this context, the --out parameter would match the outgoing bridge port, which will never be network->def->forwardDev.
Signed-off-by: Mark McLoughlin <markmc@xxxxxxxxxx>
Index: libvirt/qemud/iptables.c
===================================================================
--- libvirt.orig/qemud/iptables.c
+++ libvirt/qemud/iptables.c
@@ -577,41 +577,28 @@ iptablesRemoveUdpInput(iptablesContext *
 static int
 iptablesPhysdevForward(iptablesContext *ctx,
 const char *iface,
- const char *target,
 int action)
 {
- if (target && target[0]) {
- return iptablesAddRemoveRule(ctx->forward_filter,
- action,
- "--match", "physdev",
- "--physdev-in", iface,
- "--out", target,
- "--jump", "ACCEPT",
- NULL);
- } else {
- return iptablesAddRemoveRule(ctx->forward_filter,
- action,
- "--match", "physdev",
- "--physdev-in", iface,
- "--jump", "ACCEPT",
- NULL);
- }
+ return iptablesAddRemoveRule(ctx->forward_filter,
+ action,
+ "--match", "physdev",
+ "--physdev-in", iface,
+ "--jump", "ACCEPT",
+ NULL);
 }
 
 int
 iptablesAddPhysdevForward(iptablesContext *ctx,
- const char *iface,
- const char *target)
+ const char *iface)
 {
- return iptablesPhysdevForward(ctx, iface, target, ADD);
+ return iptablesPhysdevForward(ctx, iface, ADD);
 }
 
 int
 iptablesRemovePhysdevForward(iptablesContext *ctx,
- const char *iface,
- const char *target)
+ const char *iface)
 {
- return iptablesPhysdevForward(ctx, iface, target, REMOVE);
+ return iptablesPhysdevForward(ctx, iface, REMOVE);
 }
 
 static int
Index: libvirt/qemud/iptables.h
===================================================================
--- libvirt.orig/qemud/iptables.h
+++ libvirt/qemud/iptables.h
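Review bot: The rule built in iptablesPhysdevForward() now keys on `--physdev-in iface` alone, so in the FORWARD chain it accepts not only frames bridged out through another port of the same bridge but also any packet that arrived through `iface` and is then routed out a non-bridge interface (assuming the kernel's bridge-netfilter hooks are active, which the physdev match needs anyway). The commit message limits the intent to frames forwarded across the bridge; adding `"--physdev-is-bridged",` to the argument list ahead of `"--jump", "ACCEPT",` would restrict the match to that case. This matters more after the qemud.c hunks below, which install this rule for every network's bridge before the new `if (!network->def->forward) return 1;` check, so the wider match is no longer confined to forwarding setups. Whether the iptables releases this code targets accept that option is worth confirming before relying on it.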
@@ -42,11 +42,9 @@ int iptablesRemoveUdpInput
 int port);
 
 int iptablesAddPhysdevForward (iptablesContext *ctx,
- const char *iface,
- const char *target);
+ const char *iface);
 int iptablesRemovePhysdevForward (iptablesContext *ctx,
- const char *iface,
- const char *target);
+ const char *iface);
 
 int iptablesAddInterfaceForward (iptablesContext *ctx,
 const char *iface,
Index: libvirt/qemud/conf.c
===================================================================
--- libvirt.orig/qemud/conf.c
+++ libvirt/qemud/conf.c
@@ -1128,7 +1128,7 @@ qemudNetworkIfaceConnect(struct qemud_se
 }
 
 if (net->type == QEMUD_NET_NETWORK && network->def->forward) {
- if ((err = iptablesAddPhysdevForward(server->iptables, ifname, network->def->forwardDev))) {
+ if ((err = iptablesAddPhysdevForward(server->iptables, ifname))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
 "Failed to add iptables rule to allow bridging from '%s' :%s",
 ifname, strerror(err));
@@ -1152,7 +1152,7 @@ qemudNetworkIfaceConnect(struct qemud_se
 
 no_memory:
 if (net->type == QEMUD_NET_NETWORK && network->def->forward)
- iptablesRemovePhysdevForward(server->iptables, ifname, network->def->forwardDev);
+ iptablesRemovePhysdevForward(server->iptables, ifname);
 qemudReportError(server, VIR_ERR_NO_MEMORY, "tapfds");
 error:
 if (retval)
Index: libvirt/qemud/qemud.c
===================================================================
--- libvirt.orig/qemud/qemud.c
+++ libvirt/qemud/qemud.c
@@ -1042,8 +1042,7 @@ qemudNetworkIfaceDisconnect(struct qemud
 return;
 }
 
- if (network->def->forward)
- iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname, network->def->forwardDev);
+ iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname);
 }
 
 int qemudShutdownVMDaemon(struct qemud_server *server, struct qemud_vm *vm) {
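Review bot: The per-tap physdev rule is still added in qemudNetworkIfaceConnect() only when `network->def->forward` is set, while the qemud.c hunk for qemudNetworkIfaceDisconnect() drops that guard and now calls `iptablesRemovePhysdevForward(server->iptables, net->dst.network.ifname);` for every network type. For a non-forwarding network that asks iptables to delete a rule that was never inserted; the return value is ignored here, so it is harmless, but it spawns iptables for nothing and, depending on how iptablesAddRemoveRule() reports failures, may leave a spurious error in the log. Either keep `if (network->def->forward)` in front of the removal, or drop the same guard from the add path in conf.c (the @@ -1128 hunk and the no_memory cleanup in the @@ -1152 hunk) so both sides agree, which would also mirror the bridge-itself rule that qemudAddIptablesRules() now installs regardless of forwarding. The enclosing functions start and end outside these hunks.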
@@ -1242,83 +1241,87 @@ qemudAddIptablesRules(struct qemud_serve
 }
 
 /* allow bridging from the bridge interface itself */
- if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge, network->def->forwardDev))) {
+ if ((err = iptablesAddPhysdevForward(server->iptables, network->bridge))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
 "failed to add iptables rule to allow bridging from '%s' : %s\n",
 network->bridge, strerror(err));
 goto err1;
 }
 
- /* allow forwarding packets from the bridge interface */
- if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
+ /* allow DHCP requests through to dnsmasq */
+ if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow forwarding from '%s' : %s\n",
+ "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
 network->bridge, strerror(err));
 goto err2;
 }
 
- /* allow forwarding packets to the bridge interface if they are part of an existing connection */
- if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
+ if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow forwarding to '%s' : %s\n",
+ "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
 network->bridge, strerror(err));
 goto err3;
 }
 
- /* enable masquerading */
- if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
+ /* allow DNS requests through to dnsmasq */
+ if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 53))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to enable masquerading : %s\n",
- strerror(err));
+ "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
+ network->bridge, strerror(err));
 goto err4;
 }
 
- /* allow DHCP requests through to dnsmasq */
- if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 67))) {
+ if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
+ "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
 network->bridge, strerror(err));
 goto err5;
 }
 
- if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 67))) {
+ /* The remaining rules are only needed for IP forwarding */
+ if (!network->def->forward)
+ return 1;
+
+ /* allow forwarding packets from the bridge interface */
+ if ((err = iptablesAddInterfaceForward(server->iptables, network->bridge, network->def->forwardDev))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow DHCP requests from '%s' : %s\n",
+ "failed to add iptables rule to allow forwarding from '%s' : %s\n",
 network->bridge, strerror(err));
 goto err6;
 }
 
- /* allow DNS requests through to dnsmasq */
- if ((err = iptablesAddTcpInput(server->iptables, network->bridge, 53))) {
+ /* allow forwarding packets to the bridge interface if they are part of an existing connection */
+ if ((err = iptablesAddStateForward(server->iptables, network->bridge, network->def->forwardDev))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
+ "failed to add iptables rule to allow forwarding to '%s' : %s\n",
 network->bridge, strerror(err));
 goto err7;
 }
 
- if ((err = iptablesAddUdpInput(server->iptables, network->bridge, 53))) {
+ /* enable masquerading */
+ if ((err = iptablesAddNonBridgedMasq(server->iptables, network->def->forwardDev))) {
 qemudReportError(server, VIR_ERR_INTERNAL_ERROR,
- "failed to add iptables rule to allow DNS requests from '%s' : %s\n",
- network->bridge, strerror(err));
+ "failed to add iptables rule to enable masquerading : %s\n",
+ strerror(err));
 goto err8;
 }
 
 return 1;
 
 err8:
- iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
+ iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
 err7:
- iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
+ iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
 err6:
- iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
+ iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
 err5:
- iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
+ iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
 err4:
- iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
+ iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
 err3:
- iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
+ iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
 err2:
- iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
+ iptablesRemovePhysdevForward(server->iptables, network->bridge);
 err1:
 return 0;
 }
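Review bot: The TCP and UDP rule failures for the same port now share an identical message in qemudAddIptablesRules() (`"failed to add iptables rule to allow DHCP requests from '%s' : %s\n"` for both port-67 rules, and the same for the two port-53 rules), so a failure report cannot tell which of the two rules was refused. Naming the protocol in each string, e.g. `"failed to add iptables rule to allow DHCP requests (udp) from '%s' : %s\n"`, keeps the log actionable at no cost. The reordering of the err8..err2 unwind labels does match the new insertion order. The function begins before this hunk.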
@@ -1327,15 +1330,15 @@ static void
 qemudRemoveIptablesRules(struct qemud_server *server,
 struct qemud_network *network) {
 if (network->def->forward) {
- iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
- iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
- iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
- iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
 iptablesRemoveNonBridgedMasq(server->iptables, network->def->forwardDev);
 iptablesRemoveStateForward(server->iptables, network->bridge, network->def->forwardDev);
 iptablesRemoveInterfaceForward(server->iptables, network->bridge, network->def->forwardDev);
- iptablesRemovePhysdevForward(server->iptables, network->bridge, network->def->forwardDev);
 }
+ iptablesRemoveUdpInput(server->iptables, network->bridge, 53);
+ iptablesRemoveTcpInput(server->iptables, network->bridge, 53);
+ iptablesRemoveUdpInput(server->iptables, network->bridge, 67);
+ iptablesRemoveTcpInput(server->iptables, network->bridge, 67);
+ iptablesRemovePhysdevForward(server->iptables, network->bridge);
 }
 
 static int
@@ -1412,8 +1415,7 @@ int qemudStartNetworkDaemon(struct qemud
 goto err_delbr;
 }
 
- if (network->def->forward &&
- !qemudAddIptablesRules(server, network))
+ if (!qemudAddIptablesRules(server, network))
 goto err_delbr1;
 
 if (network->def->forward &&
--